Support accessWhat support sees inside your firm — and what stays hidden.
Once a tenant is provisioned, the engineer who built blankit can’t open it the way a senior advisor at your firm can. The day-to-day product is firmId-scoped at the database layer: cross-firm reads aren’t a permission to grant, they aren’t a code path.
The exception is support. When a problem inside your data needs an engineer, the platform admin can start a read-only impersonation session that lasts thirty minutes. The session is two things at once: gated against writes at the edge middleware, and rewritten at the data layer.
Stays visible
- Carriers
- Dollars and loss ratios
- Dates and headcount
- Benefit lines and provinces
- The shape of every page
Replaced or redacted
- Client and contact names →
Client-XXXX - Emails and phone numbers
- Document titles and filenames
- Policy and group numbers
- Free-text blobs (notes, JSON)
Pseudonyms are deterministic — the same client gets the same code across pages, sessions, and refreshes. That way a support conversation can reference a specific case without exposing identity. Every session start and end is recorded in the audit log under the operator’s identity. See exactly how on the Trust & security page.